Chris Wysopal

Born: 1 December 1965 (age 58)
Alma mater: Rensselaer Polytechnic Institute
Occupation(s): Entrepreneur, CTO, security researcher
Known for: Software security
Spouse: Debra Wysopal (m. 2008)
Children: 3

Chris Wysopal (also known as Weld Pond)[1] is an entrepreneur, computer security expert, and co-founder and CTO of Veracode.[2] He was a member of the high-profile hacker think tank the L0pht, where he was a vulnerability researcher.

Chris Wysopal was born in 1965 in New Haven, Connecticut; his mother was an educator and his father an engineer. He attended Rensselaer Polytechnic Institute in Troy, New York, where he received a bachelor's degree in computer and systems engineering in 1987.

Career

He was the seventh member to join the L0pht. His development projects there included Netcat and L0phtCrack for Windows. He was also webmaster and graphic designer for the L0pht website and for Hacker News Network, the first hacker blog. He researched and published security advisories on vulnerabilities in Microsoft Windows, Lotus Domino, Microsoft IIS, and ColdFusion. Wysopal was one of the seven L0pht members who testified before a Senate committee in 1998 that they could bring down the Internet in 30 minutes.[3] When the L0pht was acquired by @stake in 1999, he became the manager of @stake's Research Group and later @stake's Vice President of Research and Development. In 2004, when @stake was acquired by Symantec, he became its Director of Development. In 2006 he founded Veracode with Christien Rioux and serves as its CTO. In 2017 Veracode was acquired by CA Technologies for $614M.[4] Veracode was subsequently spun out and became independent once again when it was purchased by Thoma Bravo for $950M.[5] Wysopal continues to serve as CTO.

In 2018 Wysopal joined the Humanyze board of directors.[6]

Wysopal was instrumental in developing industry guidelines for responsible disclosure of software vulnerabilities. He was a contributor to RFPolicy, the first vulnerability disclosure policy. Together with Steve Christey of MITRE, he proposed an IETF RFC titled "Responsible Vulnerability Disclosure Process" in 2002. The proposal was eventually rejected by the IETF as not within its purview, but the process became the foundation for the Organization for Internet Safety, an industry group bringing together software vendors and security researchers, of which he was a founder. In 2001 he founded the non-profit full disclosure mailing list VulnWatch, for which he was moderator. In 2003 he testified before a United States House of Representatives subcommittee on the topic of vulnerability research and disclosure.

In 2008, Wysopal was recognized for his achievements in the IT industry by being named one of the 100 Most Influential People in IT by eWeek[7] and selected as one of the InfoWorld CTO 25.[8] In 2010, he was named a SANS Security Thought Leader.[9] In 2012, he began serving on the Black Hat Review Board. He was named one of the Top 25 Disruptors of 2013 by Computer Reseller News.[10] In 2014, he was named one of 5 Security Thought Leaders by SC Magazine.[11] In 2023, Wysopal was named a Cybersecurity Visionary by CyberScoop.[12]

Patents

U.S. Patent 10,275,600, Assessment and analysis of software security flaws

U.S. Patent 9,672,355, Automated behavioral and static analysis using an instrumented sandbox and machine learning classification for mobile security

U.S. Patent 8,613,080, Assessment and analysis of software security flaws in virtual machines

References

  1. "L0pht in Transition". April 2007. Retrieved 2012-11-26.
  2. Fitzgerald, Michael (2007-04-22). "PROTOTYPE; To Find the Danger, This Software Poses as the Bad Guys". The New York Times. Retrieved 2012-11-26.
  3. "Weak computer security in government: Is the public at risk?". 1998-05-19. Retrieved 2012-11-26.
  4. "CA Technologies to Acquire Veracode". Reuters. 2017-03-06.
  5. "Veracode Acquired for $950M as Broadcom Closes CA Acquisition". 2018-11-05.
  6. "Veracode co-founder joins board of 'people analytics' startup Humanyze". 2018-03-29.
  7. "100 Most Influential People in IT". eWEEK. Retrieved 2018-11-22.
  8. Dineley, Doug (2008-06-02). "2008 InfoWorld CTO 25: Chris Wysopal, Veracode". InfoWorld. Archived from the original on 2008-06-07. Retrieved 2018-11-22.
  9. "SANS Institute". www.sans.org. Retrieved 2018-11-22.
  10. Whiting, Rick. "The Top 25 Disrupters Of 2013". CRN. Retrieved 2018-11-22.
  11. "Reboot 25: Thought leaders". SC Magazine. www.scmagazine.com. Archived from the original on 2015-01-08.
  12. Mitchell, Billy (2023-11-15). "Announcing the winners of the 2023 CyberScoop 50". CyberScoop. Retrieved 2023-11-29.